Enter the Dragon

Exploring the Internet Networking Context of China

Pekka Andelin
Malware Analyst
Lavasoft AB, Gothenburg Sweden

The rapid expansion of Internet usage in China has enabled several kinds of global online interaction. Such interaction - including social networking and the exchange of messages and files - exposes users to varying kinds of malicious scripting, spyware/malware, possible eavesdropping and different types of social engineering. Such risks have to be combated and minimized in order to secure a free and safe flow of information between the involved parties, to provide information assurance and to protect system integrity and user privacy. This article's objective is to explore the Internet networking context of China in order to identify possible IT-security related problems that may be taken up for further discussion.

The China-Italy-Germany Connection

There has been a significant expansion of Internet usage in China since the first connection between the Chinese Institute of Computer Applications (ICA) in Beijing and the German Karlsruhe University was made in 1987. September 20 of that year represents a starting point; an e-mail connection between the People's Republic of China and the Federal Republic of Germany was realized with the help of the World Bank's investments and many other contributing factors. In a time - the early 1980's - when the export restrictions of the United States government prevented the export of computers to China, the World Bank supported the import of computers to be used by Chinese universities. The export of German Siemens-powered computers became a reality as a part of the "World Bank Chinese University Development Project II."

The Chinese Institute of Computer Applications, which falls under the Chinese State Commission of Machinery Industry, came to play an important role in the Germany-China e-mail project, lasting from 1987 to 1994. The exchange of e-mails needed a packet-switched network path that could carry e-mail traffic between the two countries. This path (X.25) needed to be created. The initial carrier path was realized with the help of the Beijing Telecommunications data network, PKTELCOM, and an Italian carrier company, Italcable, which possessed a few leased lines between Italy and China. In this way, the network connection between Germany and China was routed through Italy. The very first e-mail message, which carried the subject line "First Electronic Mail from China to Germany," stated "Across the Great Wall we can reach every corner in the world". This small step came to be a giant leap in offering global online communication capabilities. Even if the global reachability was a fact in 1987, the main aspect lacking was approval by the US National Science Foundation (NSF), which founded the Computer Science Network (CSNET). The project was approved by NSF in late 1987. The .CN country code domain name for China was registered by ICA in November 1990, along with the help of the Karlsruhe University, responsible for running the primary domain name server for .CN within its premises. This made e-mailing with China's domain name possible by early 1991. (The root server for the top level .CN domain was relocated from Germany to China on May 21st, 1994 [1]).

The spread of knowledge relating to global computer networking was encouraged by the Chinese government and the scientific and computer communities came to be the "cores of knowledge" in this arena. Global cooperation, along with the technological achievements, accelerated. One such achievement was that the Institute for High Energy Physics (IHEP), falling under the Chinese Academy of Science, began cooperating with its partner in the US, the Stanford Linear Accelerator Center (SLAC), opening up an e-mail connection in 1989. Another achievement was that a public infrastructure for e-mail exchange within China was developed. The establishment of a full Transmission Control Protocol and Internet Protocol (TCP/IP) connection between the US and China in mid 1994 marked an end of the "e-mail only" era in China, due to the fact that the protocols allow packets of data to take independent paths during transfer. This reduced the costs for sending e-mail and opened up services such as file transfer and Telnet (providing for remote log-on) [2]. The TCP/IP connectivity in China celebrated its tenth anniversary in 2004.

Moving Forward with Increased Bandwidth

China's connection to the Internet became official in September 1994 when the Chinese Post and Telecom Agency reached an agreement with the US Department of Commerce. The agreement, stating that two copper-line carried connections of 64 Kbits and 2 Mbits were to be used for data transfer, marked the start for China Telecom's Internet service, CHINANET. The public was allowed access to Internet resources, via phone modems and Digital Data Networks (DDN), in early 1995 [3].

Statistics and Trends of China's Internet Connectivity

Statistical analysis reports from sources like the China Internet Network Information Center (CNNIC) serve as relatively accurate indicators of the current situation in terms of Internet connectivity and user demographics. One should, however, be careful predicting trends and future development on the basis of such statistics, as the development rates in China are difficult to predict. Even if some relations seem clear, there might be significant deviations due to factors such as the availability and maintenance of local networks, sales campaigns, political reforms, price-changes in the World Market, fashion whims, etc. Significant deviations may also be caused by changes in the methods of measurement and analysis, or by statistical bias. When looking at the development of Internet connectivity in China, many statistical reports show great growth in all areas. Possible deviations and bias in the statistical reports have to be taken into account when interpreting the results [3].

Internet user totals and Internet penetration rate

The latest statistics from CNNIC, from June 2008, state that the total number of Internet users, or "Netizens" (described by CNNIC as "any Chinese citizen aged 6 and above who have used the Internet in the past half a year"), in the People's Republic of China had increased to 253 million; this represents a rise of about 128% when compared to the 111 million stated by "The 17th Survey Report" in January 2006 [4]. As a comparison, Internetworldstats states that the number of Internet users in North America has increased by about 128% between the years 2000 and 2008. The CNNIC statistics point to the fact that China has the highest number of Netizens in the world [5]. Statistics from the CIA confirm that China has the largest number of Internet users (253 million) in the world based on information from 2008. The US has 223 million Internet users based on information from the same year [6].

Internetworldstats states further that the current Internet penetration rate (percent of population) for the world averages at an estimated 23%. The Internet penetration rate is about 73% for North America and 48% for Europe [8]. According to CNNIC, the Internet penetration rate in China reached around 19% by the end of June 2008. The increase in Internet penetration rate between 2005 and 2008 is stated to be around 11% [6].

Distribution of connection types

CNNIC states that the number of Netizens accessing the Internet via broadband connections reached 214 million by the end of June 2008, representing about 85% of the total number of Netizens in China. The corresponding share was about 58% in 2006. CNNIC states further that about 73 million Chinese Netizens, representing 29% of the total, accessed the Internet using mobile phones between January and June 2008 [6, 7].

User demographics

The share of female Netizens was stated to be about 41% in 2006. During the first 6 months of 2008, the share of female Netizens had increased to about 46%. In 2006, about 71% of Netizens were represented by people under the age of 30. By the end of June 2008, the proportion of Netizens under the age of 30 was about 69%. The number of new Netizens in the first half of 2008, up to the age of 30, totaled at about 29 million. A major proportion, 55%, of the Netizens in China are unmarried with a relatively low income (approximately 74% of the Netizens have an income less than RMB 2000/month or 292 USD/month). Approximately 75% of the Netizens reside in urban areas. Approximately 33 million, or 16%, of the Netizens live in Guangdong (Central China), approximately 18 million, or 8%, of the Netizens live in Jiangsu (East China) and approximately 15 million, or 7%, of the Netizens live in Zhejiang (East China). The number of Netizens living in Shanghai amounts to a relatively modest 8 million, representing 4%, followed by the 7 million Netizens, or 3.5%, that reside in Beijing. Almost half of the residents in both Beijing and Shanghai are Internet users. Provinces in Central China have the highest growth rate of Netizens, exceeding 70% [6, 7].

The proportion of Netizens with a high school degree was roughly 30% in 2006. This figure increased to 39% by June 2008. According to CNNIC, the total of Netizens with high school degrees, together with the total of Netizens with junior middle school degrees, account for 91% of the new Netizens in the first half of 2008. By 2008, the proportion of Netizens between the ages 31 to 50 was about 27%. Students represent the largest proportion of Netizens, about 30%. The amount of new Netizens from the students group tends to increase by about 2.7 million per month [6, 7].

Domain names, websites and IP addresses

In 2006 the total number of domain names registered amounted to approximately 2.5 million (about 1.1 million .CN domain names). By 2008 the total amount of domain names was over 14 million, rapidly approaching the 15 million mark with an annual growth rate of 62%. Approximately 80% of the registered domains in China were .CN domains and about 17% were .COM domains in 2008.

In 2006, the number of "WWW" websites was estimated at approximately 694,000 (including .CN, .COM, .NET and .ORG). By 2008, the total amount of websites in China was about 1.9 million. The annual growth rate was stated to be about 46% in mid 2008. According to Netcraft, the total of websites in the world increased significantly in February 2009 as an estimated 20 million sites that are served by QZHTTP (the web server used by QQ to host the Chinese qq.com domain and the blogging service provided by Qzone) were added. In March 2009, the total amount of QQ hosted sites increased to an estimated 29 million, making the Qzone blogging service surpass other blogging services such as Google's Blogger and Microsoft's Windows Live Space [8, 9].

In 2006 the quantity of IP (IPv4) addresses totaled at an estimated 97 million, distributed between the Chinese mainland, Taiwan, Hong Kong and Macao. By 2008, the total number of IPs was 158 million (representing 6% of the world's total amount of IPv4 addresses) [6, 7].

The three largest Internet Service Providers (ISPs), China Telecom, China Netcom and the China Education and Research Network (CERNET), control the majority of the IP addresses in China. The Asia Pacific Network Information Center (APNIC) has responsibility for the assignment and management of IP addresses within the Asia Pacific region, including China. The five worldwide Regional Internet Registries (RIRs), one of which is APNIC, receive delegated Internet resources from the Internet Assigned Numbers Authority (IANA). The RIRs then delegate resources to customers, for example ISPs, within their region in accordance with their regional policies. In order to simplify the procedures related to the acquisition of IP addresses, CNNIC allied with the major ISPs in China and created its own "IP Allocation Alliance" in late 2004. CNNIC is currently the only national distributor of IPs in China that has the possibility to apply for large numbers of IP addresses. Small operators in China may apply for IPs directly from CNNIC without a risk of being rejected by APNIC [10].

International outlet bandwidth

The total bandwidth of leased international connections (including connections to the US, Russia, France, the United Kingdom, Germany, Japan, Korea, Singapore, etc.) was about 136,000 Mbps in 2006. By 2008, it totaled at about 494,000 Mbps (0.002 Mbps per Netizen), showing an annual growth rate of 58% [6, 7].

Computer equipment and surfing conditions

The total of computer hosts by January 2006 amounted to approximately 49 million. By 2008, the amount had increased to about 85 million (including all types of domestic computers accessible to the Internet). According to CNNIC, the semiannual growth rate of computers accessible to the Internet is approaching 9% (the number of such computer units increased by nearly 7 million during the first half of 2008). Desktop computers are favored by about 87% of the Netizens. Laptops and mobile phones are, however, rapidly gaining in popularity and a constantly increasing proportion of the Netizens use laptops and mobile phones to access the Internet. The number of valid mobile phone numbers reached 592 million in mid 2008. Approximately 73 million Netizens (about 29%) used their mobile phone to surf the Internet in mid 2008. The number of Netizens surfing the Internet with mobile phones in China is highly influenced by the mobile carrier companies and their promotional campaigns. An estimated 63% of the mobile phone surfers are male, and 86% are under 30 years of age.

According to the 17th Survey Report from January 2006, about 70% of users accessed the Internet from home, 38% from work places, 27% from Internet cafes, 19% from schools, and 1% from other public places. The 22nd Survey Report from 2008 shows that the share of Netizens accessing the Internet from home had increased to about 74%. The proportion of users accessing the Internet from Internet cafes had increased to about 39%, showing a semiannual growth rate of 39% in mid 2008. The statistics further show that the proportion of users accessing the Internet from their school had dropped from 19% in 2006 to 13% in mid 2008 [6, 7].

Online activities and top Internet applications

Among the basic Internet applications, different kinds of instant messaging are utilized by 77% of the users, or 195 million. Approximately 69% of the users, or 175 million, utilize online search engines and about 63% of the users use e-mail services.

Digital entertainment, especially online music, is stated to be the top Internet application with 214 million users, representing 85% of the Netizens in China. In the digital entertainment arena 71%, or 180 million, of the users watch online video while 58%, or 148 million, of the users conduct online gaming. CNNIC reports that 53% of the online gamers in China favor online role-playing games and that the average "role-player" spends about 12 hours/week on gaming.

Among the network media, almost 82% of the users, or 206 million, watch online news. This means that watching online news is the second most popular online activity in China, closely ranked to the listening of online music. Approximately 42%, or 107 million, of the Internet users in China utilize some form of blog or personal space and 28%, or 70 million, of the users spend time upgrading their blog and/or personal space on the Internet.

In the arena of e-commerce, 25% of the users, or 63 million, conduct online shopping and 23% of the users, or 57 million, perform online payments on the Internet. In mid 2008, Shanghai (53%) followed by Beijing (39%) became the cities with the highest online shopping penetration rates in China. China will, however, increase the efforts to promote e-commerce development further in order to reach higher online shopping rates such as the ones in the US (66%) and South Korea (57%).

An estimated 39%, or 98 million, of Internet users in China access different types of online forums or bulletin board systems and approximately 23% of the Internet users publish posts on these channels. CNNIC states that the "development momentum of the online community is very powerful".

According to the 22nd Survey Report from mid 2008, 23%, or 59 million, of the Internet users in China conduct online banking and about 17%, or 43 million users, perform online stock/fund transactions. Online job hunting is conducted by 15%, or 38 million, of the users and online education services are utilized by 19%, or 47 million, of Chinese Internet users.

IT-Security Related Problems

Xu Rongsheng, the former deputy of the computer center at Beijing's Institute of High-Energy Physics (IHEP) and one of the most important Internet pioneers in China, expressed his opinion regarding the greatest challenge for the future development of the Internet in China.

"On the technical side, the Internet around the world and in China is quite vulnerable to hackers. Security capabilities are definitely quite weak, I think. My own institute and a lot of my friends are working on areas related to the Internet and they are asking me to help them to find ways to maintain the stable operation of the Internet and their applications." [1]

Spam

The initial China-Italy-Germany carrier path providing e-mail capabilities to the People's Republic of China did not just bring people together. It also opened up the possibility to send large quantities of unsolicited bulk e-mail, Spam. China shares this spam problem with the rest of the world, as it has become a global problem. Many spammers have pursued the opportunity to move several, or all, of their operations to China, installing servers at data centers operated by Chinese ISPs. Chinese spammers have also been hired by other stakeholders that see an opportunity to outsource their "spamming business." This became a major problem for the Chinese ISPs as reports showed that an estimated 47 billion spam messages hit the Chinese users in 2003, leading to a situation where over one billion hours were wasted in the processing of spam. This also generated an economic loss that totaled to approximately 581 million USD.

In order to combat spam more aggressively, the Internet Society of China (ISC) published its first blacklist in late 2003, blocking a total of 225 spam-sending servers. The Netizens of China were not the only ones affected by the fact that spammers had been able to operate from China. The spam originating from China-based servers was, and still is, a global problem. In order to gain more knowledge about fighting spam, ISC contacted members of Spamhaus, an international organization tracking spam operations on the Internet [11]. In order to circumvent language barriers and the Chinese blocking of access to foreign websites, Spamhaus set up a Chinese language version of the Spamhaus website. One reason for the difficulty of fighting spam originating from Chinese servers is the large number of Chinese ISPs that are able to close down and open new sites continuously. The spammers may, to use one example, pay a monthly "salary" to a Chinese resident for the service of paying a monthly fee to a national ISP in order to host websites. The spammers also use other tricks in order to hide their activities from the Chinese ISPs, such as using firewalls to either hide their sites from the ISPs (for instance, blocking them from accessing the page) or to route the ISPs to innocent looking sites [12]. China has also become a member of the "London Action Plan", an International Spam Enforcement Cooperation that was formed in late 2004 [13].

China has tried to strengthen the protection against spam further by adopting the "Regulations on Internet E-Mail Services". The regulations became effective on March 30, 2006. This anti-spam law regulates the sending of e-mail messages while also regulating the providers of e-mail services. The law urges E-mail Service Providers (ESPs) to protect their e-mail services in such a manner that they avoid fraudulent utilization. ESPs are also urged to log the activities on the servers, making it easier to find evidence related to spamming. ESPs breaching the regulations may face serious penalties from the Chinese Ministry of Information Industry (MII).

The regulations are an additional step in the process of dealing with insecure and poorly administered mail servers that could be misused by spammers [14]. According to statistics from 2008, China is still a member of the "Top 12" list of spam relaying countries. China's proportion of the total spam distributed amounts to 6%. This places China as number 4 on the list [15].

Malware

A Google report from early 2008 states that 67% of the malware distribution servers, along with 64% of the websites that link to them, are located in China. This may point to the fact that the security practices of Chinese website administrators are inadequate.

Several exploitation strategies for installing malware on unprotected and unpatched computers exist, remote exploitation of vulnerable network services being one of them. The utilization of firewalls and Network Address Translators in order to block connection attempts against - and the exploitation of - vulnerable services makes such attacks harder to perform. Another approach is to trick users into surfing to compromised websites that then are capable of redirecting users in order to expose them to malicious scripting. In order to do that, a web server has to be exploited, meaning that new content, such as a link, is added to the website hosted by the web server. When users click the injected link, they may be redirected to a location hosting a script capable of exploiting the browser. Websites hosting blogs, forums or billboard systems that allow users to post messages may also be exploited. Users should therefore not be allowed to post links that could expose them to exploiting scripts that could target vulnerabilities in the browser or its plugins. The exploitation of such vulnerabilities could result in a heavily compromised computer, capable of performing drive-by downloads of additional software when the user is routed to a certain location. The initial exploit scripts are often downloaded via an Inline Floating Frame (IFRAME) on the compromised webpage and the exploit script - targeting browser or plugin vulnerabilities - is often written in JavaScript. Such attacks could be hindered if server administrators take responsibility for protecting their servers adequately. This would require updating the server with the most recent security patches and keeping the software, such as forum, billboard and blog applications, updated [16].

Another report by StopBadware.org, which bases its findings on data retrieved in May 2008, states that China hosts 52% of identified "badware" sites, more than any other country in the world. StopBadware.org is a partnership committed to protecting Internet and computer users against the threats posed by malicious software. StopBadware.org utilizes a list of active malicious websites provided by the Google Safe Browsing initiative. In May 2008, that list encompassed 213,575 websites [17].

Google has access to the content of most webpages, as it continuously indexes the Web. In order to create the list of malicious websites, Google performs post-processing of webpages, looking for certain parameters that indicate malicious linking or coding. Examples of the detection criteria used by Google include elements such as IFRAMEs pointing to locations known for hosting malware and heavily obfuscated code that could indicate a possible exploit along with malicious JavaScript [17].
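A site administrator can apply the same two kinds of criteria to their own pages. The following Python example is added here for illustration and is not Google's method or code from the original article; the blocklist, host names, thresholds and sample page are constructed assumptions.

```python
# Added illustration: audit one page for injected IFRAMEs and packed scripts.
# Heuristics, thresholds and host names are assumptions made for this example.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a feed of hosts known for serving malware.
KNOWN_BAD_HOSTS = {"malhost.example"}

# Calls that packed or encoded JavaScript typically uses to unpack itself.
DECODER_CALLS = re.compile(
    r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
# Eight or more consecutive %uXXXX, %XX or \xXX escapes.
ESCAPE_RUN = re.compile(
    r"(?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class PageAuditor(HTMLParser):
    """Collects (kind, subject, reasons) tuples for suspicious elements."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._script = None  # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self._check_iframe({k: v or "" for k, v in attrs})
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self._check_script("".join(self._script))
            self._script = None

    def _check_iframe(self, attrs):
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        if not host:
            return  # relative URL: the frame is served by the site itself
        reasons = []
        if host in KNOWN_BAD_HOSTS:
            reasons.append("blocklisted-host")
        if host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site")
        sizes = {attrs.get("width", "").strip(), attrs.get("height", "").strip()}
        if sizes & {"0", "1"} or HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden")
        # Off-site frames alone are common (video, ads); require a blocklist
        # hit or the off-site + hidden combination before reporting.
        if "blocklisted-host" in reasons or {"off-site", "hidden"} <= set(reasons):
            self.findings.append(("iframe", host, reasons))

    def _check_script(self, code):
        # Report only when decoder calls appear together with an escape run.
        calls = sorted(set(DECODER_CALLS.findall(code)))
        if calls and ESCAPE_RUN.search(code):
            self.findings.append(("script", "inline", calls))


def audit_page(html, site_host):
    """Return findings for one HTML document served from site_host."""
    auditor = PageAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a forum page with two legitimate frames, two injected
# ones and an encoded inline script.
SAMPLE_PAGE = """<html><body>
<h1>Forum</h1>
<iframe src="/widgets/poll.html" width="300" height="200"></iframe>
<iframe src="http://video.example.net/embed/1" width="560" height="315"></iframe>
<iframe src="http://malhost.example/x.html" width="0" height="0"></iframe>
<iframe src="http://cdn.example.org/c" style="display:none"></iframe>
<script>var menu = document.getElementById("menu");</script>
<script>document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63"));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE, "forum.example.com"):
        print(finding)
```

Run against stored copies of a site's own pages, a check of this kind surfaces injected frames that a visual review misses, since zero-size and hidden frames do not render.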

It could be argued that China has a greater tolerance to threats represented by adware and spyware in comparison to countries in the western world. The usage of tracking cookies, pop-up ads and toolbars that install without the explicit consent of users is commonly looked upon as "less desirable" by most anti-spyware/anti-virus companies in the western world. For example, adware such as CaiShow, Baidu, Zhongsou, Cinmeng, and Cinmus are frequently represented in the detection databases of most anti-spyware/anti-virus vendors in the western world. There has also been a higher number of legal disputes in the western world between adware vendors and representatives from the anti-spyware/anti-virus communities than in China. This has led to a situation where adware companies tend to distance themselves from - and avoid usage of - clearly malicious techniques.

In the Chinese context, the extensive usage of pop-up ads and tracking cookies has become more or less accepted. The main cause behind the creation of most malware is the hunt for monetary profit. The fact that money makes the world go around is also true for the malware-world. Even if there are many commercial producers of malware-like adware - which, in many cases, tend to walk the line between proper and improper practices, making these applications harder to classify for malware researchers - the flow of what could be called "classical malware" is rather constant. There is a great prevalence of ID theft programs in China, applications that are designed for password stealing or logging of keystrokes. The increased prevalence of such malware is closely related to the rapid expansion of IT and Internet connectivity in China. The fact that a constantly increasing number of people utilize online services for e-mailing, banking, shopping, online payments and for different forms of entertainment attracts criminals that try to get hold of users' passwords and bank details in order to make and steal money [19]. Sophos states that China accounts for approximately 11% of all malware. Password stealing malware and backdoor Trojans represent the greatest proportions of the stated percentage [14].

Concluding Thoughts

The rapid expansion of IT, Internet connectivity and online networking has generated "digital living space" for the residents in China, at least for large proportions of the people living in urban areas. Analysis shows that it is difficult to predict future development in China as many parameters (for example political reforms) can influence future events. The greatest expansion takes place in the urban areas of China and it is hard to say if and when the people in the rural areas will be able to utilize the new technology. It seems likely that the Internet penetration rate, along with technological achievements, will continue to expand within the larger cities, creating even larger gaps in the technological level between urban and rural areas of China.

Additional points for further discussion

There is concern that the strong censorship of the Chinese government may impair people's freedom in their digital living space. It is easy to understand the objective of a certain amount of content filtering, but such filtering has always to be done in a balanced way in order to respect the privacy of users. The concept and means of content filtering could be a possible topic for further discussion.

Research shows that, by mid 2008, the majority of China's 253 million Netizens, or approximately 69%, were represented by people under the age of 30. The cities Guangdong, Jiangsu, Zhejiang, Shanghai and Beijing have the most Internet users in China. Most of the Netizens are unmarried and almost three-quarters have a relatively low monthly income. It could, therefore, be argued that the purchasing power of this group of Netizens is relatively low (especially as 30% of the Netizens are students). This raises the need for low cost computer equipment, services and Internet access. Whether the Chinese government is willing to meet the needs of this group, and how the needs are to be met, could be possible topics for further discussion.

The proportion of users accessing the Internet from home and Internet cafes has increased significantly between 2006 and 2008. Accessing the Internet via public computers does not only raise the need for privacy protection during the sessions, but also for ways to securely delete private data when finishing the session. These problems, along with possible solutions, could be topics for further discussion.

The proportion of users accessing the Internet from school dropped between 2006 and 2008, showing a negative trend. The reasons for this are, however, unclear. The fact that approximately 73 million, or about 29%, of the Netizens accessed the Internet using mobile phones during the first half of 2008 raises security concerns. The concept and means of providing anti-spyware/anti-virus protection to mobile phone surfers in China could be a possible topic for further discussion. The number of mobile phone Internet surfers is highly influenced by sales and promotion campaigns from, to use one example, ISPs. The size of this group may therefore fluctuate significantly.

The amount of new websites is increasing rapidly, along with the amount of assigned IP addresses. The fact that CNNIC, being the only national distributor of IPs in China, has made it possible for the small operators to apply for a large number of IP addresses directly from CNNIC has simplified the acquisition process. This has also made it cheaper to acquire IP addresses for the large number of small ISPs in China. It could be argued that this may have had a negative effect, as the possibility to register IPs easily - with less control than by the former distributor of IPs, Asia Pacific Network Information Center - is exploited by spammers. The possibility of registering large numbers of IPs easily, at a low cost, could also be utilized for spreading rogue software in the future. This could be a possible topic for further discussion along with exploring if, and to what degree, CNNIC or the ISPs in China are responsible for the content served on the hosted websites.

China has had many problems related to spam, problems that mainly are caused by badly administrated servers and a low level of security consciousness among server administrators. China has done a lot to fight the problems, but still remains number 4 in the "Top 12" list of spam relaying countries. An estimated 67% of the malware distribution servers in the world are situated in China, along with 64% of the websites that link to them. The security practices of Chinese website administrators are inadequate. Servers have to be protected against exploits and the security consciousness of server administrators and ISPs has to be elevated. How this is to be achieved should be discussed further.

China accounts for 11% of all malware in the world. The responsibility for and plan for dealing with that fact could be discussed further. Another interesting discussion point in this topic is if and why China has a greater tolerance to threats represented by adware and spyware than the western world.

A majority of the Netizens in China listen to online music and watch online news. Social networking, blogging, utilizing forums and bulletin board systems are popular activities among the Netizens of China. The proportion of online shoppers is relatively low. Shanghai and Beijing have the highest online shopping penetration rates. Online role-playing is popular and the average "role-player" spends approximately 12 hours per week on gaming. China has approximately 59 million users performing online banking. The high number of compromised websites in China is a problem that should be addressed in order to protect the privacy of the large amount of Netizens that risk being routed to malicious content when clicking on links served by "reliable looking" websites. The high prevalence of malware such as password stealers and backdoor Trojans should also be combated. The ways to deal with these matters could be possible topics suitable for further discussion.